Backup your Web Application Proxy Settings

We’re happy to have another post from guest blogger Mark Grimes with Microsoft Consultancy Services. Mark has some more great tips for documenting and saving your Web Application Proxy deployment settings for future reference and backup…



Backup your Web Application Proxy Settings – Mark Grimes

Whenever I install Web Application Proxy at a customers’ location, I like to leave some breadcrumbs behind so that they know what was done, how it was configured, and how to reuse that information when possible. By doing the installation, configuration and application publishing with PowerShell, your backup and preservation of settings is done for you. While it is very easy to do installation and configuration through Server Manager and then publishing through the Remote Access Management tool, you don’t get the documentation of what you did in the same way as PowerShell will do for you by virtue of just saving the scripts. Get in the habit of doing all of your installation and configuration with PowerShell and your settings will be saved automatically.

There are three parts to this blog.

  1. First we will provide summarized PowerShell cmdlets to install, configure and publish with Web Application Proxy.

  2. Outline the primary PowerShell cmdlets to gather information about the Web Application Proxy’s Settings.

  3. Wrap it all up with a few combined tips and tricks to create a webpage for the Web Application Proxy configuration.


Documenting the Installation and Configuration of Web Application Proxy

Whenever you install and configure Web Application Proxy, if you do this all with PowerShell, you not only have a nice succinct backup of the process, but also a simple to reuse operations guide for your Web Application Proxy Deployment. In the PowerShell cmdlets below, I highlighted in yellow the parts you will need to change.

Key Assumptions before the core installation and configuration scripts are run below

  1. A Windows Server 2012 R2 AD FS Environment is in place

    See Deploying a Federation Server Farm for “how to

  2. Web Application Proxy Infrastructure is all in place e.g. Active Directory, DNS, addresses, etc. 

  3. Configuration of CAs and certificates has been completed i.e. AD FS Federation Certificate with the private key exists in the Certificate Local Machine store certlm.msc

    See Install and Configure the Web Application Proxy Server

    Likewise, for any applications to publish, it will be assumed that their certificates are also installed with the private keys in certlm.msc as well

  4. To understand more about the differences between publishing applications below with Preauthentication or pass-through se

    Publish Applications using Client Certificate Preauthentication

    Publish Applications using Pass-through Preauthentication


Core Installation and configuration

While all of these bits and pieces are well documented throughout TechNet, this section will just collect, collate and summarize only the PowerShell portions for the purpose of documenting and backing up all of the installation and configuration. You can then reuse these for multiple pre-production and production deployments.

NOTE: Even the titles below are #commented out so you can just copy and paste everything between the dotted lines into the PowerShell ISE Script pane to save, modify and reuse. All you need to modify are the highlights.

#1 Declare Environment Specific Installation Variables

$fscred = get-credential #administrator account w/ local admin rights on AD FS server

$CertCN = "*" # This is the AD FS Federation Service Certificate CName

$FedSvcName = "" # This is the AD FS Federation Service Name

$CertThumbPrint = Get-ChildItem -Path Cert:\LocalMachine\My | where {$PSItem.Subject -like $CertCN } | Select -ExpandProperty Thumbprint


#2 Install Web Application Role

Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

#3 Finish Web Application Proxy Configuration    # Assumes App Certificate is in certlm.msc

Install-WebApplicationProxy –FederationServiceTrustCredential $fscred -CertificateThumbprint $CertThumbPrint -FederationServiceName $FedSvcName

# Publish Passthrough Applications – copy for each app published and adjust

$AppCert = "" # The App Certificates’ CName for each app published

$AppCertThumbPrint = Get-ChildItem -Path Cert:\LocalMachine\My | where {$PSItem.Subject -like $AppCert } | Select -ExpandProperty Thumbprint

#4 Publish Passthrough Application

Get-ChildItem -Path Cert:\LocalMachine\My | where {$PSItem.Subject -like $AppCert } | Select -ExpandProperty Thumbprint

Add-WebApplicationProxyApplication -BackendServerUrl -ExternalCertificateThumbprint $AppCertThumbPrint -ExternalUrl -Name "Passthrough Test 1 Application" -BackendServerCertificateValidation None -ExternalPreauthentication PassThrough

#5 Publish Client Certificate Preauthentication Application #Need to know corresponding AD FS Relying Party Trust per application

$PreAuthAppCert = "" # The App Certificates’ CName for each app published

$PreAuthAppCertThumbPrint = Get-ChildItem -Path Cert:\LocalMachine\My | where {$PSItem.Subject -like $PreAuthAppCert } | Select -ExpandProperty Thumbprint

$PreAuthRP = Get-WebApplicationProxyAvailableADFSRelyingParty | where {$ -like "samp*" } | Select -ExpandProperty Name # Replace samp* with the AD FS RP trust name or the first part of it. NOTE: do just Get-WebApplicationProxyAvailableADFSRelyingParty to see what RP names are available

Add-WebApplicationProxyApplication -Name "PreAuth Sample Federated Application" -ExternalPreauthentication ADFS -ExternalUrl -ExternalCertificateThumbprint $PreAuthAppCertThumbPrint -BackendServerUrl -ADFSRelyingPartyName "$PreAuthRP"

Once you update the highlights above, you have both an operations guide to install and configure your Web Application Proxy environment, plus it is all documented in your PowerShell scripts. For those of you with advanced PowerShell skills, this will make a starting point to do even more advanced script options e.g. simplifying publishing of multiple applications.


Basic Web Application Proxy Server configuration and health cmdlets

Now that you have installed and configured your Web Application Proxy servers, let’s look at some of the core PowerShell commands to get information about the Web Application Proxy Servers and the state of their health. We’ll list just a few as samples that have been found in various blogs and TechNet Articles. Then we’ll combine them all together in the last section to make a nice consolidated webpage to backup most all of the key Web Application Proxy server configurations.

  • Get-Service 'appproxysvc','appproxyctrl','adfssrv' | fl -property *

    This is a great command to show Web Application Proxy Windows services status. But run it and you’ll likely get much more than you want or need. Reduce the number of properties displayed and you can control what you want

  • Get-NetIPAddress -CimSession (New-CimSession -ComputerName ((gwpc).ConnectedServersName)) | ft IPAddress

    This example from one of our blog entries that shows the IP addresses for the Web Application Proxy Servers. In this example, I looked to add a few more useful properties such as the subnet mask and the interface name to benefit the network administrators who would want to know that information.

  • Get-WebApplicationProxy*

    There are 5 of these by default to possibly use.

    1. Get-WebApplicationProxyApplication

      This is a handy command if you never configured you published applications with PowerShell. This can be added to the web page below as an option. But you will also have the applications nicely backed up by virtue of installing them always with PowerShell.

    2. Get-WebApplicationProxyAvailableADFSRelyingParty

      This is one that will be useful to have on hand when publishing. It shows the AD FS Relying Party trusts that exist. If you want to publish applications with preauthentication, this information is handy to have and can be piped out to input into the publishing cmdlets.

    3. Get-WebApplicationProxyProxyConfiguration

      This will give a list of the connected Web Application Servers.

    4. Get-WebApplicationProxyHealth

      This gets the health status of the Web Application Proxy server and the health of the Web Application Proxy services on the Web Application Proxy server. This includes the health status of Web Application Proxy Core as well as the AD FS Proxy

    5. Get-WebApplicationProxySSLCertificate

      This gets the binding information for the AD FS SSL certificate that is installed and configured for the FS proxy component of the Web Application Proxy. 


Create a webpage to backup and display the health and configuration of Web Application Proxy

In many cases, PowerShell will give you far more that you may need or want. There are many PowerShell options to limit what is output as well as how the output is displayed or formatted. If you are a true programmer you can then take this and do even more sophisticated outputs and formatting.

Below, we will just give the PowerShell cmdlets used to make and display a sample webpage below. There is no explanation immediately within the cmdlets below. However, the sources for those tips and tricks to control what and how the output is presented are all in the Reference Links just below this section.

Get-WebApplicationProxyConfiguration | Add-Member -membertype scriptproperty -name ServersList -value {$this.ConnectedServersName -join '; '} -passthru -force | convertto-html ServersList,ADFSUrl -title "WAP Stats" -body "<H2>Web Application Proxy Server | Connected Servers</H2>" > C:\Webpage\WAPConfig.htm

Get-NetIPAddress -CimSession (New-CimSession -ComputerName ((gwpc).ConnectedServersName)) | convertto-html IPAddress, InterfaceAlias, PrefixLength -title "WAP Stats" -body "<H2>Web Application Proxy Server | IP Addresses</H2>" >> C:\Webpage\WAPConfig.htm

Get-Service 'appproxysvc','appproxyctrl','adfssrv' | convertto-html DisplayName, ServiceName,Status -title "WAP Stats" -body "<H2>Web Application Proxy Server | Services Status</H2>" >> C:\Webpage\WAPConfig.htm

Get-WebApplicationProxyApplication | convertto-html Name,ExternalURL, BackendServerUrl -title "WAP Stats" -body "<H2>Web Application Proxy Server | Published Applications List</H2>" >> C:\Webpage\WAPConfig.htm

Get-WebApplicationProxyAvailableADFSRelyingParty | convertto-html Name,Published, ID -title "WAP Stats" -body "<H2>Web Application Proxy Server | AD FS Relying Party Trusts</H2>" >> C:\Webpage\WAPConfig.htm

Once you have run the scripts above, you will end up with a webpage like this:


As you will see from the reference links below, this is only one way to output this information. Now take the lines above, package in a PS1 file and add to a scheduled task and this will be a continuously updated view that can be accessed wherever you would like to publish it.

Taking these concepts a step further, using PowerShell, these tips and tricks can be applied across multiple services and applications. For example, Web Application Proxy’s big brother AD FS! But we’ll leave that one for the AD FS bloggers out there.


Reference Links

Here are the sources that I used to put the webpage above all together, to preserve the installation, configuration and settings of Web Application Proxy. If you have even more free time, and really want to read all of the nitty-gritty details, help yourself to these handy articles below.


Till the next time – Mark @ Microsoft

Comments (3)

  1. Anonymous says:

    Last night I had the pleasure of being a guest speaker on the Azure Podcast, talking about Azure Certifications

  2. Anthony Van den bossche says:

    Hi, a suggestion: add Enablehttpredirect to the property list on the WAPApplication part (only Server 2016!):

    Get-WebApplicationProxyApplication | convertto-html Name,ExternalURL, BackendServerUrl,EnablehttpRedirect -title “WAP Stats” -body “Web Application Proxy Server | Published Applications List” >> C:\Webpage\WAPConfig.htm

Skip to main content